Risk Management in Real Projects (Not the Spreadsheet Version)
Every project has a risk register.
Most projects also have risks that never made it into it.
They were:
-
Too political
-
Too awkward
-
Too uncomfortable to name
-
Or too obvious to feel worth logging
This field guide is about those risks — the ones everyone senses, few document, and almost no one owns until it’s too late.
Why Risk Looks Manageable on Paper
On paper, risk management is reassuring.
Risks are:
-
Identified
-
Scored
-
Categorized
-
Assigned owners
Heat maps glow in calm gradients of green and amber.
What’s missing is not technique.
It’s honesty.
Most real risks don’t fit neatly into likelihood and impact boxes — because they’re social, political, and structural.
The Risks Nobody Wants to Write Down
The most dangerous risks are rarely technical.
They sound like:
-
“The sponsor is disengaged”
-
“This dependency will never resolve on time”
-
“We don’t actually understand the requirement”
-
“Leadership expectations don’t match reality”
These risks are sensed early.
They just don’t survive the meeting.
Why Logging Risk Feels Like Escalation
In theory, logging a risk is neutral.
In practice, it feels like:
-
Questioning competence
-
Challenging optimism
-
Creating visibility people didn’t ask for
So teams soften language.
They downgrade severity.
They defer escalation.
The risk isn’t removed.
It’s camouflaged.
The Illusion of Ownership
Every risk has an owner.
Very few owners have:
-
The authority to mitigate it
-
The influence to escalate it
-
The safety to speak plainly about it
Ownership without power is symbolic.
It makes the register complete
while leaving the risk untouched.
When Risks Become Issues (Quietly)
Most risks don’t explode.
They erode.
They show up as:
-
Missed handoffs
-
Compressed timelines
-
Reduced quality
-
Normalized overtime
By the time a risk is reclassified as an issue, the project has already absorbed the cost.
The register updates.
The outcome doesn’t change.
Why Risk Reviews Become Rituals
Risk reviews often exist to prove diligence, not to change outcomes.
They:
-
Confirm what’s already known
-
Avoid what’s politically sensitive
-
End with “monitor closely”
The ritual is completed.
The risk remains.
How Real Projects Actually Manage Risk
Projects that survive don’t manage more risks.
They manage fewer — but more honestly.
They:
-
Name uncomfortable risks early
-
Treat escalation as a design choice, not a failure
-
Accept that some risks cannot be mitigated — only acknowledged
They understand that risk management is less about control and more about shared awareness.
Risk Is a Social System, Not a Spreadsheet
Risk does not live in cells.
It lives in:
-
Conversations that don’t happen
-
Signals that get ignored
-
Decisions that are postponed
The spreadsheet is a record.
The project is the reality.
Confusing the two is where risk management quietly fails.
“Risk escalates fastest when responsibility is unclear.”
➡ Project Roles & Responsibility Gaps
➡ Risk Registers and the Illusion of Control
